The Document Object Model (DOM) for
HTML is quite useful for handling a variety of dynamic effects for web
with it) in ways
that are sometimes surprising—the DOM has often been the source of browser
bugs. A new project, from well-known DOM bug finder
Michal Zalewski, seeks to systematically exercise the DOM in browsers to
eliminate as many holes as it can.
The project, with the unassuming name of DOM access checker (or
dom-checker) was just announced
on the full-disclosure mailing list (along with Bugtraq and others).
Zalewski and colleague Filipe Almeida, both of Google, describe their tool
DOM access checker is a tool designed to
automatically validate numerous aspects of domain security policy
calls, event and transition handling) to detect common security attack or
information disclosure vectors.
file that can be loaded from the internet via HTTP (a live version is available from
the project website) or from the local disk, using the file://
protocol. Ideally, they should be loaded from both places and give the
same results. The screenshot for a sample run using Firefox 3
(Fedora/3.0b3pre-0.beta2.12.nightly20080121.fc9 for the curious) is at left.
harness runs 15 major tests, each with many separate subtests. Each
subtest reports success or failure to the screen as it runs. Firefox 3
failed 15 of the 1500 or so checks in the standard set of tests.
to the announcement, "DOM Checker had been used to find a number of
major security bypass and information disclosure problems in several
popular browsers." Zalewski and Almeida worked with the browser
teams to resolve the most serious issues.
But, common browsers will still fail up to 30 of the
less important tests—for privacy, rather than
The hope is that the browser vendors pick up these tests to use as part of
their quality assurance process. They could also be used for regression
testing to find problems that have crept in while fixing other bugs or
adding new features. The checker is a framework that could easily be
extended with additional tests covering other areas of DOM functionality.
With the advent of AJAX, DOM
are being used more and more by web sites, so tools to discover these kinds
of bugs are welcome.
to post comments)